[matrix] encryption
Hi! I am The one with the [braid]
- Flutter developer from France
- Working on [matrix] in healthcare
- Contributor to various [matrix] projects
- I like trains
🦆2🦆 [🔐]
[matrix]
- per-device keys
  - one-time keys
  - fallback keys
- each device has different keys
- verification via SAS
- SSSS backup for key access
PGP
- one key pair per person
- subidentities (subkeys) hang off that one key pair
- verification via keyservers
- the one private key can decrypt everything
[matrix] is complex
Olm
- A key "session": one Olm session per pair of devices
- Used to manage your keys
- Works against the peer's device list (which devices to share with)
- Carries the key sharing: megolm session keys travel over Olm
Megolm
- Each megolm session key is shared Olm-encrypted
- Algorithm for event (room message) encryption
- Each message is individually encrypted; the ratchet advances per message
Cryptographic device onboarding
- Each device has its own public/private key pair
- This (Ed25519) key pair is the device's signing key
- Canonical JSON content is signed using these keys to ensure integrity
- Each account has a master key
- Each device signing key must be signed under the master key (via the self-signing key, see cross-signing below) to ensure authenticity
- Once the device is trusted it can upload megolm session keys, generate fallback keys and receive encrypted content
Device signing bootstrap
- The device generates its key pair and uploads the public part to the homeserver (HS)
- The device key is cross-signed under the master key
- Either the device itself can open the master key and sign itself (because it is the first device, or because it recovered the master key via SSSS)
- Otherwise another, already trusted device must sign the newly added key after verification (e.g. SAS verification)
megolm session keys
- Each ratchet step of a session yields the key for one event
- Only share session keys to verified sessions (trusted devices)
- Fallback keys: a persistent, rotated key per device, used to establish an Olm session once the one-time keys are exhausted
SSSS
Secure Secret Storage and Sharing
[ssss]
- Encrypted storage for the secrets that unlock your megolm sessions (the key backup decryption key)
- Used to access the online key backup
- Contains the cross-signing private keys
root of [trust]
SAS
short authentication [strings]
SAS verification [methods]
- String comparison
- Emoji comparison
- QR code
- [your unknown fourth option]
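Worked example (added here, not part of the talk): the string and emoji comparisons above are two renderings of the same bits. Both sides run X25519, feed the shared secret and an agreed info string into HKDF-SHA256, and read the output as seven 6-bit emoji indices (into the spec's 64-entry table, not reproduced here) or three 13-bit decimals offset by 1000. The info-string field order follows the spec's SAS key agreement as I read it; treat the exact layout as an assumption of this example and check it against the spec. Identities and the transaction ID are constructed. The `mitm` flag shows why users must actually compare: when an attacker substitutes both public keys, each side still gets a valid-looking SAS, but the two values differ.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// hkdfSHA256 returns the first n (<= 32) bytes of HKDF-SHA256 with an empty salt:
// extract, then one expand block. Spelled out with crypto/hmac so no extra module is needed.
func hkdfSHA256(secret, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = HashLen zero bytes
	ext.Write(secret)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write(info)
	exp.Write([]byte{0x01})
	return exp.Sum(nil)[:n]
}

// bits reads n bits of b starting at bit offset start, most significant bit first.
func bits(b []byte, start, n int) int {
	v := 0
	for pos := start; pos < start+n; pos++ {
		v = v<<1 | int(b[pos/8]>>(7-pos%8)&1)
	}
	return v
}

// SAS holds both renderings of the same derived bits: seven 6-bit indices into the
// 64-entry emoji table (42 bits) and three 13-bit numbers plus 1000 (39 bits).
type SAS struct {
	Emoji   [7]int
	Decimal [3]int
}

// DeriveSAS turns the ECDH shared secret and the agreed info string into both forms.
func DeriveSAS(shared []byte, info string) SAS {
	out := hkdfSHA256(shared, []byte(info), 6) // 48 bits cover both renderings
	var s SAS
	for i := range s.Emoji {
		s.Emoji[i] = bits(out, 6*i, 6)
	}
	for i := range s.Decimal {
		s.Decimal[i] = bits(out, 13*i, 13) + 1000
	}
	return s
}

type party struct {
	user, device string
	key          *ecdh.PrivateKey
}

func newParty(user, device string) party {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return party{user, device, k}
}

func b64(k *ecdh.PublicKey) string { return base64.RawStdEncoding.EncodeToString(k.Bytes()) }

// sasInfo binds the derived string to both identities, both public keys and the
// transaction (assumed layout): prefix | initiator user, device, key | recipient user, device, key | txn.
func sasInfo(init, recip party, initPub, recipPub, txn string) string {
	return "MATRIX_KEY_VERIFICATION_SAS|" + init.user + "|" + init.device + "|" + initPub + "|" +
		recip.user + "|" + recip.device + "|" + recipPub + "|" + txn
}

// RunVerification simulates the exchange: Alice initiates, Bob responds, each computes
// X25519 with the public key it received. With mitm set, Mallory replaces both keys in
// transit; the two SAS values then differ and the users notice when they compare.
func RunVerification(mitm bool) (aliceSAS, bobSAS SAS) {
	const txn = "txn-0001" // constructed transaction ID
	alice := newParty("@alice:example.org", "ALICEDEV")
	bob := newParty("@bob:example.org", "BOBDEV")
	aliceRecv, bobRecv := bob.key.PublicKey(), alice.key.PublicKey()
	if mitm {
		mallory := newParty("@mallory:example.org", "MALLORYDEV")
		aliceRecv, bobRecv = mallory.key.PublicKey(), mallory.key.PublicKey()
	}
	// ECDH only errors when the curves differ; all keys here are X25519.
	aliceShared, _ := alice.key.ECDH(aliceRecv)
	bobShared, _ := bob.key.ECDH(bobRecv)
	aliceSAS = DeriveSAS(aliceShared, sasInfo(alice, bob, b64(alice.key.PublicKey()), b64(aliceRecv), txn))
	bobSAS = DeriveSAS(bobShared, sasInfo(alice, bob, b64(bobRecv), b64(bob.key.PublicKey()), txn))
	return aliceSAS, bobSAS
}

func main() {
	a, b := RunVerification(false)
	x, y := RunVerification(true)
	fmt.Println("honest exchange matches:", a == b, "| with Mallory in the middle:", x == y)
}
```

The decimal and emoji forms are not independent checks: the first decimal is exactly the first 13 bits, which the first two emoji indices and the top bit of the third also encode, so comparing either form compares the same key-agreement result.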
cross [signing]
- If you receive your own master key, you sign it with your own device key
- If you receive a device key of your own account, you sign it with your own self-signing key
- If you receive another person's master key, you sign it with your own user-signing key
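Worked example (added here, not code from the talk or from any Matrix library) for the onboarding, bootstrap and cross-signing slides: canonical JSON signing as the spec describes it (drop `signatures` and `unsigned`, serialise with sorted keys and no whitespace, Ed25519-sign, store under `signatures[user_id]["ed25519:<key id>"]`), then the chain master key -> self-signing key -> device key. The user and device identifiers are constructed, the device object omits the Curve25519 identity key a real device also uploads, and float formatting is left out of the canonicaliser because these objects contain none. The final step swaps the `device_id` and checks that the self-signing signature no longer verifies, which is what stops a homeserver from presenting a device the user never signed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Matrix encodes keys and signatures as unpadded base64.
var b64 = base64.RawStdEncoding

// CanonicalJSON: keys sorted at every level (encoding/json already does that for maps),
// no insignificant whitespace, and HTML escaping off so "<" and "&" stay literal.
func CanonicalJSON(obj map[string]interface{}) string {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(obj); err != nil {
		panic(err) // only reachable for unencodable values, which these key objects never hold
	}
	return string(bytes.TrimRight(buf.Bytes(), "\n"))
}

// signable is the canonical form without "signatures" and "unsigned", the two
// fields the signing rules exclude from the signed content.
func signable(obj map[string]interface{}) string {
	stripped := make(map[string]interface{}, len(obj))
	for k, v := range obj {
		if k != "signatures" && k != "unsigned" {
			stripped[k] = v
		}
	}
	return CanonicalJSON(stripped)
}

// SignJSON adds signatures[userID]["ed25519:"+keyID], keeping other signatures intact.
func SignJSON(obj map[string]interface{}, userID, keyID string, priv ed25519.PrivateKey) {
	sigs, _ := obj["signatures"].(map[string]interface{})
	if sigs == nil {
		sigs = map[string]interface{}{}
	}
	userSigs, _ := sigs[userID].(map[string]interface{})
	if userSigs == nil {
		userSigs = map[string]interface{}{}
	}
	userSigs["ed25519:"+keyID] = b64.EncodeToString(ed25519.Sign(priv, []byte(signable(obj))))
	sigs[userID] = userSigs
	obj["signatures"] = sigs
}

// VerifyJSON checks the signature stored for userID/keyID against pub; missing or
// malformed entries simply fail.
func VerifyJSON(obj map[string]interface{}, userID, keyID string, pub ed25519.PublicKey) bool {
	sigs, _ := obj["signatures"].(map[string]interface{})
	userSigs, _ := sigs[userID].(map[string]interface{})
	sigB64, _ := userSigs["ed25519:"+keyID].(string)
	sig, err := b64.DecodeString(sigB64)
	return err == nil && ed25519.Verify(pub, []byte(signable(obj)), sig)
}

// crossSigningKey builds a "master" or "self_signing" key object; for cross-signing
// keys the key ID is the unpadded base64 of the public key itself.
func crossSigningKey(userID, usage string, pub ed25519.PublicKey) (map[string]interface{}, string) {
	id := b64.EncodeToString(pub)
	return map[string]interface{}{"user_id": userID, "usage": []string{usage},
		"keys": map[string]string{"ed25519:" + id: id}}, id
}

// deviceKeys builds a device key object; the key ID of a device key is the device ID.
func deviceKeys(userID, deviceID string, pub ed25519.PublicKey) map[string]interface{} {
	return map[string]interface{}{"user_id": userID, "device_id": deviceID,
		"algorithms": []string{"m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"},
		"keys":       map[string]string{"ed25519:" + deviceID: b64.EncodeToString(pub)}}
}

// ChainResult: does the intact chain verify, and is a tampered device object (wrongly) accepted?
type ChainResult struct{ IntactOK, TamperedOK bool }

// BuildAndVerifyChain: the master key signs the self-signing key, the self-signing key
// signs the device, the device signs itself; then a device_id swap is checked.
func BuildAndVerifyChain() ChainResult {
	const userID, deviceID = "@alice:example.org", "DEVICEABC" // constructed identities
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	sskPub, sskPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, masterID := crossSigningKey(userID, "master", masterPub)
	ssk, sskID := crossSigningKey(userID, "self_signing", sskPub)
	SignJSON(ssk, userID, masterID, masterPriv)
	dev := deviceKeys(userID, deviceID, devPub)
	SignJSON(dev, userID, deviceID, devPriv)
	SignJSON(dev, userID, sskID, sskPriv)
	intact := VerifyJSON(ssk, userID, masterID, masterPub) &&
		VerifyJSON(dev, userID, sskID, sskPub) && VerifyJSON(dev, userID, deviceID, devPub)
	dev["device_id"] = "EVILDEVICE" // what a malicious homeserver would have to get past
	return ChainResult{IntactOK: intact, TamperedOK: VerifyJSON(dev, userID, sskID, sskPub)}
}

func main() {
	fmt.Printf("%+v\n", BuildAndVerifyChain())
}
```

A client doing this for real also has to check that the master key it anchors the chain on is the one the user verified (via SAS or the SSSS-recovered private key); a signature chain rooted in a master key the homeserver handed over unverified proves nothing.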
further [reading]
- https://spec.matrix.org/latest/client-server-api/#end-to-end-encryption
- https://matrix.org/docs/older/e2ee-cross-signing/
- https://blog.neko.dev/posts/unable-to-decrypt-matrix.html
By The one with the braid
Introduction to [matrix].